SlideShare a Scribd company logo

CoC NA 2023 - Reproducible Builds for the JVM and beyond.pptx

H
Hervé Boutemy

Reproducible Builds

Software
1 of 35
for the JVM and beyond Hervé Boutemy Halifax, NS, 2023-10-10
About Me ● Maven PMC Member, Attic PMC Chair ● ASF Member ● working on Software Supply Chain @ Sonatype ● SBOM: CycloneDX, SPDX ● signature: Sigstore ● Reproducible Builds for the JVM: ○ discovered in April 2016 (post-processing) ○ actively working since January 2019 (Maven built-in)
Agenda ● Reproducible Builds ○ what? why? how? ● Reproducible Builds for the JVM ○ checking against Maven Central ○ configuring for Maven, Gradle, sbt ● Quiz: to be or not to be Reproducible ● What’s next?
Reproducible Builds: what? why? how?
input source code builder output binaries rebuilder same output binaries (bit for bit) a set of software development practices that create an independently-verifiable path from source to binary code https://reproducible-builds.org/ (since 2013) reference reference
Why does it matter? ● reproducible-builds.org: “allow verification that no vulnerabilities or backdoors have been introduced during the compilation process” ● my own return on experience ○ you have the source, but are you really able to rebuild? ■ is it the real Git commit? is “Build successful” message sufficient? ○ are you sure nothing from your build environment leaked into output binaries? ■ found username, hostname, path to current directory, private key passphrase, … ○ permits build efficiency from build cache ● ASF policy: official source release vs convenience binaries ○ how do you audit binaries staged by release manager? “Just trust”?
How? ● reproducible-build.org: 3. users should be given a way to recreate a close enough build environment, perform the build process, and validate that the output matches the original build. 2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined. 1. the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded and output always has to be written in the same order.
Reproducible Builds for the JVM: 2. check binaries: Maven Central 1. configure build: Maven, Gradle, sbt
Reproducible Central (started 03-2020) https://github.com/jvm-repo-rebuild/reproducible-central
Reproducible Central https://github.com/jvm-repo-rebuild/reproducible-central
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
What If a Difference is Found? 1. Where is the difference? 2. What is the difference? https://diffoscope.org/
What If a Difference is Found? 1. Where is the difference? 2. What is the difference? https://diffoscope.org/ 2. Why? How to Fix?
Reproducible Builds for the JVM: 2. check binaries: Maven Central 1. configure build: Maven, Gradle, sbt
Reproducible Builds for Maven (since 03-2020) https://maven.apache.org/guides/mini/guide-reproducible-builds.html 1. Enable Reproducible Builds: 1. Check plugins known to require upgrade: mvn artifact:check-buildplan = https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html
Checking for Reproducible Builds 3. after release pushed to Maven Central: mvn -Papache-release -Dgpg.skip clean verify artifact:compare 2. during VOTE: mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/ 1. during SNAPSHOT development: Check locally if you get the same result twice mvn clean install mvn clean verify artifact:compare ideally (harder): rebuilder on a different machine, or Docker, to detect more subtle environment impact
Reproducible Builds for Gradle ● since Gradle 3.4 https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives
Gradle in Reproducible Central Need Help!
Reproducible Builds for sbt Need Help!
Quiz: to be or not to be Reproducible ?
#1 Reproducible or not? ?
#2 Reproducible or not? ?
#2 Reproducible or not? ?
?
#2 Reproducible or not?
#3 Reproducible or not? ?
#3 Reproducible or not?
#4 Reproducible or not? ? PLEASE use only LTS for release
#4 Reproducible or not? ? PLEASE use only LTS for release
What’s next?
for the JVM… and Beyond… ● Maven: ○ make more Maven plugins produce Reproducible output ○ help more projects enable Reproducible Builds ● Gradle: ○ help more projects enable Reproducible Builds ○ improve Reproducible Central rebuilds for these ● sbt ● npm & npmjs ● pip & PyPI ● .NET & NuGet Gallery ● …
for the ASF: please audit your binaries during VOTEs mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/ it’s ok not to be RB perfect next time will be better
Merci

Recommended

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Maven
MavenMaven
MavenМарія Русин
 
Maven
MavenMaven
MavenFabio Bonfante
 
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017MarcinStachniuk
 
Jbossworld Presentation
Jbossworld PresentationJbossworld Presentation
Jbossworld PresentationDan Hinojosa
 
Joget Workflow v6 Training Slides - 16 - Preparing Development Environment
Joget Workflow v6 Training Slides - 16 - Preparing Development EnvironmentJoget Workflow v6 Training Slides - 16 - Preparing Development Environment
Joget Workflow v6 Training Slides - 16 - Preparing Development EnvironmentJoget Workflow
 
Maven
MavenMaven
MavenShraddha
 
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...mfrancis
 

Recommended

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Maven
MavenMaven
MavenМарія Русин
 
Maven
MavenMaven
MavenFabio Bonfante
 
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017MarcinStachniuk
 
Jbossworld Presentation
Jbossworld PresentationJbossworld Presentation
Jbossworld PresentationDan Hinojosa
 
Joget Workflow v6 Training Slides - 16 - Preparing Development Environment
Joget Workflow v6 Training Slides - 16 - Preparing Development EnvironmentJoget Workflow v6 Training Slides - 16 - Preparing Development Environment
Joget Workflow v6 Training Slides - 16 - Preparing Development EnvironmentJoget Workflow
 
Maven
MavenMaven
MavenShraddha
 
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...mfrancis
 
Maven nutshell
Maven nutshellMaven nutshell
Maven nutshellValerio Capozio
 
Introduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldIntroduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldDmitry Bakaleinik
 
Session 2
Session 2Session 2
Session 2gayathiry
 
Session 2
Session 2Session 2
Session 2gayathiry
 
Team Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformTeam Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformCarlos Ramirez Martinez-Eiroa
 
tools cli java
tools cli javatools cli java
tools cli javaTiNguyn863920
 
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow
 
Build Automation using Maven
Build Automation using Maven Build Automation using Maven
Build Automation using Maven Ankit Gubrani
 
Java User Group Cologne
Java User Group CologneJava User Group Cologne
Java User Group CologneSoftware Entwicklung Beratung Schulung
 
Java build tools
Java build toolsJava build tools
Java build toolsSujit Kumar
 
Maven 3.0 at Øredev
Maven 3.0 at ØredevMaven 3.0 at Øredev
Maven 3.0 at ØredevMatthew McCullough
 
Intelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulIntelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulMert Çalışkan
 
[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using Shipkit[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using ShipkitMarcinStachniuk
 
Continuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgContinuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgMarcinStachniuk
 
NI Package Manager
NI Package ManagerNI Package Manager
NI Package ManagerDMC, Inc.
 
Ordina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenOrdina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenBert Koorengevel
 
Towards Continuous Deployment with Django
Towards Continuous Deployment with DjangoTowards Continuous Deployment with Django
Towards Continuous Deployment with DjangoRoger Barnes
 
Jenkins advance topic
Jenkins advance topicJenkins advance topic
Jenkins advance topicKalkey
 
Agile Software Development & Tools
Agile Software Development & ToolsAgile Software Development & Tools
Agile Software Development & ToolsLuismi Amorós Martínez
 
Spring Native and Spring AOT
Spring Native and Spring AOTSpring Native and Spring AOT
Spring Native and Spring AOTVMware Tanzu
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveCall Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 

More Related Content

Similar to CoC NA 2023 - Reproducible Builds for the JVM and beyond.pptx

Introduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldIntroduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldDmitry Bakaleinik
 
Team Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformTeam Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformCarlos Ramirez Martinez-Eiroa
 
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow
 
Build Automation using Maven
Build Automation using Maven Build Automation using Maven
Build Automation using Maven Ankit Gubrani
 
Java build tools
Java build toolsJava build tools
Java build toolsSujit Kumar
 
Intelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulIntelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulMert Çalışkan
 
[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using Shipkit[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using ShipkitMarcinStachniuk
 
Continuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgContinuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgMarcinStachniuk
 
NI Package Manager
NI Package ManagerNI Package Manager
NI Package ManagerDMC, Inc.
 
Ordina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenOrdina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenBert Koorengevel
 
Towards Continuous Deployment with Django
Towards Continuous Deployment with DjangoTowards Continuous Deployment with Django
Towards Continuous Deployment with DjangoRoger Barnes
 
Jenkins advance topic
Jenkins advance topicJenkins advance topic
Jenkins advance topicKalkey
 
Spring Native and Spring AOT
Spring Native and Spring AOTSpring Native and Spring AOT
Spring Native and Spring AOTVMware Tanzu
 

Similar to CoC NA 2023 - Reproducible Builds for the JVM and beyond.pptx (20)

Maven nutshell
Maven nutshellMaven nutshell
Maven nutshell
 
Introduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldIntroduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS world
 
Session 2
Session 2Session 2
Session 2
 
Session 2
Session 2Session 2
Session 2
 
Team Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformTeam Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce Platform
 
tools cli java
tools cli javatools cli java
tools cli java
 
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
 
Build Automation using Maven
Build Automation using Maven Build Automation using Maven
Build Automation using Maven
 
Java User Group Cologne
Java User Group CologneJava User Group Cologne
Java User Group Cologne
 
Java build tools
Java build toolsJava build tools
Java build tools
 
Maven 3.0 at Øredev
Maven 3.0 at ØredevMaven 3.0 at Øredev
Maven 3.0 at Øredev
 
Intelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulIntelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest Istanbul
 
[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using Shipkit[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using Shipkit
 
Continuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgContinuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.org
 
NI Package Manager
NI Package ManagerNI Package Manager
NI Package Manager
 
Ordina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenOrdina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - Maven
 
Towards Continuous Deployment with Django
Towards Continuous Deployment with DjangoTowards Continuous Deployment with Django
Towards Continuous Deployment with Django
 
Jenkins advance topic
Jenkins advance topicJenkins advance topic
Jenkins advance topic
 
Agile Software Development & Tools
Agile Software Development & ToolsAgile Software Development & Tools
Agile Software Development & Tools
 
Spring Native and Spring AOT
Spring Native and Spring AOTSpring Native and Spring AOT
Spring Native and Spring AOT
 

Recently uploaded

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 

Recently uploaded (20)

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 

CoC NA 2023 - Reproducible Builds for the JVM and beyond.pptx

  • 1. for the JVM and beyond Hervé Boutemy Halifax, NS, 2023-10-10
  • 2. About Me ● Maven PMC Member, Attic PMC Chair ● ASF Member ● working on Software Supply Chain @ Sonatype ● SBOM: CycloneDX, SPDX ● signature: Sigstore ● Reproducible Builds for the JVM: ○ discovered in April 2016 (post-processing) ○ actively working since January 2019 (Maven built-in)
  • 3. Agenda ● Reproducible Builds ○ what? why? how? ● Reproducible Builds for the JVM ○ checking against Maven Central ○ configuring for Maven, Gradle, sbt ● Quiz: to be or not to be Reproducible ● What’s next?
  • 5. input source code builder output binaries rebuilder same output binaries (bit for bit) a set of software development practices that create an independently-verifiable path from source to binary code https://reproducible-builds.org/ (since 2013) reference reference
  • 6. Why does it matter? ● reproducible-builds.org: “allow verification that no vulnerabilities or backdoors have been introduced during the compilation process” ● my own return on experience ○ you have the source, but are you really able to rebuild? ■ is it the real Git commit? is “Build successful” message sufficient? ○ are you sure nothing from your build environment leaked into output binaries? ■ found username, hostname, path to current directory, private key passphrase, … ○ permits build efficiency from build cache ● ASF policy: official source release vs convenience binaries ○ how do you audit binaries staged by release manager? “Just trust”?
  • 7. How? ● reproducible-build.org: 3. users should be given a way to recreate a close enough build environment, perform the build process, and validate that the output matches the original build. 2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined. 1. the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded and output always has to be written in the same order.
  • 8. Reproducible Builds for the JVM: 2. check binaries: Maven Central 1. configure build: Maven, Gradle, sbt
  • 9. Reproducible Central (started 03-2020) https://github.com/jvm-repo-rebuild/reproducible-central
  • 11.
  • 13.
  • 14. What If a Difference is Found? 1. Where is the difference? 2. What is the difference? https://diffoscope.org/
  • 15. What If a Difference is Found? 1. Where is the difference? 2. What is the difference? https://diffoscope.org/ 2. Why? How to Fix?
  • 16. Reproducible Builds for the JVM: 2. check binaries: Maven Central 1. configure build: Maven, Gradle, sbt
  • 17. Reproducible Builds for Maven (since 03-2020) https://maven.apache.org/guides/mini/guide-reproducible-builds.html 1. Enable Reproducible Builds: 1. Check plugins known to require upgrade: mvn artifact:check-buildplan = https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html
  • 18. Checking for Reproducible Builds 3. after release pushed to Maven Central: mvn -Papache-release -Dgpg.skip clean verify artifact:compare 2. during VOTE: mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/ 1. during SNAPSHOT development: Check locally if you get the same result twice mvn clean install mvn clean verify artifact:compare ideally (harder): rebuilder on a different machine, or Docker, to detect more subtle environment impact
  • 19. Reproducible Builds for Gradle ● since Gradle 3.4 https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives
  • 20. Gradle in Reproducible Central Need Help!
  • 21. Reproducible Builds for sbt Need Help!
  • 22. Quiz: to be or not to be Reproducible ?
  • 26. ?
  • 30. #4 Reproducible or not? ? PLEASE use only LTS for release
  • 31. #4 Reproducible or not? ? PLEASE use only LTS for release
  • 33. for the JVM… and Beyond… ● Maven: ○ make more Maven plugins produce Reproducible output ○ help more projects enable Reproducible Builds ● Gradle: ○ help more projects enable Reproducible Builds ○ improve Reproducible Central rebuilds for these ● sbt ● npm & npmjs ● pip & PyPI ● .NET & NuGet Gallery ● …
  • 34. for the ASF: please audit your binaries during VOTEs mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/ it’s ok not to be RB perfect next time will be better
  • 35. Merci

Editor's Notes

  1. Reproducible Builds started with Linux distributions: this provided much experience and tools when starting applying Reproducible Builds principles to Java, Maven and Maven Central. Today, after 4 years of hard work, more than 1600 releases from 500 projects were proven reproducible: it works at large scale! It's time to share learnings and try to expand to other languages used at the Apache Software Foundation. 40 minutes